Google: Sniffing Wi-Fi Data Was Legal, And Rare

The Wi-Fi data inadvertently collected by Google's Street View cars has only been accessed two times since the practice started in 2007, and Google does not believe its collection violated any U.S. law, the company told lawmakers Friday.

0shares

The Wi-Fi data inadvertently collected by Google's Street View cars has only been accessed two times since the practice started in 2007, and Google does not believe its collection violated any U.S. law, the company told lawmakers Friday.

"We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible," Pablo Chavez, director of public policy for Google, wrote in a letter to House lawmakers. "We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry."

Payload data refers to information that Google collected from unencrypted Wi-Fi networks. Last month, the company said that its Street View cars had mistakenly been collecting and storing personal information transmitted over unsecured wireless networks. Google said this data has never been thoroughly examined and likely does not contain identifying information, but regulators have expressed concern nonetheless.

"We are aware of only two instances when any Google engineer even viewed the payload data," Chavez wrote. "The first instance involved the individual engineer who designed the software. The second instance was when we became aware that payload data may have been collected from unencrypted Wi-Fi networks and a single security engineer tested the data to verify that this was the case."

Chavez's note was in response to a May letter that the co-chairmen of the House Privacy Caucus  Reps. Ed Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican  sent to Google asking for specific information about the security breach.

Google collects Wi-Fi data because it can help provide more accurate returns for its location-based services, like Google Maps or driving directions. GPS signals and cell tower locations can also be used, but because these two technologies "can be unreliable or inaccurate, in some cases using the location of Wi-Fi access points can enable a smartphone to pinpoint its own location more quickly and accurately," Chavez wrote.

The Wi-Fi data collection process and Street View  both of which started in 2007  are two separate products, Chavez said. Wi-Fi collection devices are simply mounted to Street View cars for convenience.

For Wi-Fi data to be useful, Google needs to collect a network's MAC address (a unique number on hardware like a router) and the SSID (the name assign to a wireless network). That should've been the only information collected by Google, but it also collected and stored bits of personal information from unencrypted networks; data from encrypted networks was automatically discarded. Collected information could include e-mails and browser history, but Google said that its software scans the networks so quickly (five per second) that it is unlikely that any complete data came through.

"We believe any payload data collected would likely be fragmented," Chavez wrote. "It is possible that the payload data may have included personal data if a user at the moment of collection broadcast such information, but we have not conducted an analysis of the payload data in a way that enables us to know exactly what was collected."

Google recently agreed to hand over collected data to German, French and Spanish data protection authorities. Chavez said Friday that, upon request, Google has already destroyed data collected in Ireland, Denmark, and Austria.

"We have been retaining data collected in the United States, consistent with our obligations related to pending civil litigation matters," Chavez wrote.

In the wake of the data collection discovery, Google grounded its Street View cars and segregated the payload data on its network, Chavez wrote. Going forward, "we have decided to stop our Street View cars from collecting Wi-Fi data entirely, including SSID and MAC address data," he said.

Rep. Markey said it is clear that Google fell short in the transparency and trust departments. "We have raised concerns about this matter with the Federal Trade Commission on this important issue and will continue to actively and aggressively monitor developments in this area," he said in a statement.

"This is deeply troubling for a company that bases its business model on gathering consumer data," he said. "That failure is even more disturbing and ironic in view of the fact that Google is lobbying the government to regulate Internet service providers, but not Google. As we are contemplating privacy legislation in the committee, I think this matter warrants a hearing, at minimum."

In a Friday blog post, Joel Gurin, the chief of the FCC's consumer and governmental affairs bureau, said that Google's behavior "raises important concerns."

He urged consumers to learn how to encrypt their networks. "The Google incident is a reminder that 'open' Wi-Fi networks  those that are not encrypted  are all too vulnerable to cyber snooping," he wrote.

Chloe Albanesius has been with PCMag.com since April 2007, most recently as Executive Editor for News and Features. Prior to that, she worked for a year covering financial IT on Wall Street for Incisive Media. From 2002 to 2005, Chloe covered technology policy for The National Journal's Technology Daily in Washington, DC. She has held internships at NBC's Meet the Press, washingtonpost.com, the Tate Gallery press office in London, Roll Call, and Congressional Quarterly. She graduated with a bachelor's degree in journalism from American University...
More »

Automatic Renewal Program: Your subscription will continue without interruption for as long as you wish, unless
you instruct us otherwise. Your subscription will automatically renew at the end of the term unless you authorize
cancellation. Each year, you'll receive a notice and you authorize that your credit/debit card will be charged the
annual subscription rate(s). You may cancel at any time during your subscription and receive a full refund on all
unsent issues. If your credit/debit card or other billing method can not be charged, we will bill you directly instead. Contact Customer Service